Client Push Installation

Last week my post was about using the Client Push Installation on WORKGROUP systems and this week my post will be a sort of follow-up on that. This week my post will be about using the Client Push Installation on UNTRUSTED FOREST systems. The method of last week will also work on UNTRUSTED FOREST systems, but the nice thing about ConfigMgr 2012 is that there are now better options for UNTRUSTED FOREST systems! The systems and domain(s) of the UNTRUSTED FOREST can be discovered AND to make it even better, it is even possible to write information to the Active Directory!

Prerequisites

Before it is possible to use the Client Push Installation on UNTRUSTED FOREST systems, there are a few things to keep in mind. The following points are a prerequisite and, besides the Active Directory Forest and the Active Directory System Discovery, they are not further explained in this post:

The FQDN of the Management Point system can be resolved on the UNTRUSTED FOREST systems.

The UNTRUSTED FOREST can be resolved on the site server (and domain).

The Active Directory of the UNTRUSTED FOREST is extended.

The Client Push Installation Account has administrative rights.

The UNTRUSTED FOREST is added as an Active Directory Forest.

The Active Directory System Discovery is enabled to find the UNTRUSTED FOREST systems.

Pre-configuration

Normally I leave the prerequisites for what they are, but in this case it all stands-or-falls with the configuration of the Active Directory Forest and the Active Directory System Discovery. So I will first show in two steps how to pre-configure the Active Directory Forest and the Active Directory System Discovery, before I will show how to configure the Client Push Installation.

The first step is to add the UNTRUSTED FOREST as an Active Directory Forest, so it can also write the site information to that Active Directory, and that can be done by following the next steps:

In the Home tab, click Properties and the Active Directory System Discovery Properties will show.

On the General tab, click <YellowStar> and the Active Directory Container popup will show.

Fill in with Path <aLDAPPath>, select Specify an account, Set <aAccount> and click OK.

Note: <aAccount> needs to have the appropriate security rights to discover objects in the Active Directory of the UNTRUSTED FOREST.

Configuration

Now let’s start with the real configuration! After doing all the discoveries it is possible to configure the Client Push Installation for UNTRUSTED FOREST systems. The configuration of the Client Push Installation is actually the easiest part of this post. To configure Client Push Installation for UNTRUSTED FOREST systems follow the next steps:

On the Accounts tab, click <YellowStar> > New Account and the Windows user Account popup will show.

Fill in with User name <DOMAINNAME>\<USERNAME> with the corresponding password in the appropriate fields and click OK.

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is still the CCM.log, but as I showed that last week already I will now show a snippet of the ccmsetup.log. This log shows that it successfully retrieves information from the Active Directory during the client installation. After the installation was successful the client will show up in the console as an active client with <DOMAINNAME> as Domain.

This week my post will be about using the Client Push Installation on WORKGROUP systems. We all know that a manual installation will work on WORKGROUP systems, but wouldn’t it be easier to just use the Client Push Installation? In my opinion the answer would be, YES! And as long as the WORKGROUP systems are configured the same, the configuration is actually quite easy.

Prerequisites

Before it is possible to use the Client Push Installation on WORKGROUP systems, there are a few things to keep in mind. The following points are a prerequisite and are not further explained in this post:

The FQDN of the Management Point system can be resolved on the WORKGROUP system.

The Network Discovery is enabled to find the WORKGROUP systems.

The Client Push Installation Account has administrative rights.

Configuration

Now let’s start with the configuration! It is possible to configure the Client Push Installation for WORKGROUP systems, because it is possible to use a variable in the accounts used for a Client Push Installation. So this makes it possible to also configure local accounts. To configure Client Push Installation for WORKGROUP systems follow, at least, the following steps:

On the Accounts tab, click <YellowStar> > New Account and the Windows user Account popup will show.

Fill in with User name %COMPUTERNAME%\<USERNAME> with the corresponding password in the appropriate fields and click OK.

On the Installation Properties tab, fill in as Installation Properties, at least, SMSSITECODE=XXX SMSMP=<FQDN_MP>.

Results

After the configuration is done it is time to take a look at the results. The best place to look at the results is in the CCM.log after a Client Push Installation on a WORKGROUP system is performed. This log shows that it first tried my domain credentials. After the domain credentials failed, it used the local credentials, which are configured via the COMPUTERNAME variable, as the second attempt. After the installation was successful the client will show up in the console as an active client with WORKGROUP as Domain.

Sometimes it's good to freshen up some “hidden” knowledge. It's somewhere in your head, but it just needs to be freshened. One of these things is the Client Push Installation. In this post I will try to tell the story of the server side.

Prerequisites for Client Push Installation

To be able to do a successful Client Push Installation, the following prerequisites need to be met:

There must be a Client Push Installation account defined in the Accounts tab of the Client Push Installation Properties.

The Client Push Installation account must be a member of the local Administrators group on the targeted computer.

The targeted computer must have been discovered by a ConfigMgr discovery method.

Select Client Push Installation and click in the Actions pane Properties to open the Client Push Installation Properties.

On the General tab select Enable Client Push Installation to Assigned Resources.

(Prerequisite) On the Accounts tab specify an account to use when connecting to the targeted computer to install the client software.

(Optional) On the Client tab specify any additional installation properties and click OK.

Important (!): The specified installation properties, on the Client tab, must be for the client.msi. Also, the specified installation properties are published to the Active Directory if the schema is extended. These properties are used by client installations where the ccmsetup is run with no installation properties.

Method 2: Manual Client Push Installation

(Prerequisite) On the Accounts tab (of the Client Push Installation Properties) specify an account to use when connecting to the targeted computer to install the client software.

Select the collection or computer in a collection you want to push the client to. Right-click the computer or collection and then select Install Client to launch the Client Push Installation wizard and click Next.

On the Installation options page, specify the client installation options that should be used and click Next.

Review the installation settings, and click Finish to close the wizard.

The Client Push Installation server-side process

After a Client Push Installation is initiated, a Client Configuration Request (CCR) record gets created for each targeted computer. These records are created in <InstallationDirectory>\inboxes\ccr.box.

As soon as the CCR record gets processed it will be moved to <InstallationDirectory>\inboxes\ccr.box\inproc.

Based on the information of the CCR record there will be a connection to the ADMIN$ share on the targeted computer.

After the connection with the ADMIN$ was successful there will be a connection with the registry (IPC$), of the targeted computer, to gather information.

Now the file copying will start. The MobileClient.tcf (from <InstallationDirectory>\bin\I386), the ccmsetup.exe and any needed updates (from <InstallationDirectory>\Client) are downloaded to ADMIN$\ccmsetup on the targeted computer.

After this, the last thing that happens on the server side is the verification of whether the ccmsetup service started successfully or not. When the ccmsetup service is started successfully, the CCR record will be deleted; when the ccmsetup service is not started (or created) successfully, the CCR record will be moved to <InstallationDirectory>\inboxes\ccrretry.box. Standard behavior is that those records get evaluated every hour.

Extra: If an installation fails and you want to prevent it from retrying every hour, just delete the corresponding CCR record from the ccrretry.box.
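The three folders described above can be checked directly on the site server to see which push attempts are pending, in progress, or queued for the hourly retry. The PowerShell below is an added example, not code from the original post. The function names and the StaleMinutes threshold are hypothetical, and it relies only on the folder locations given above.

```powershell
# Added example: report where each CCR record sits in the push pipeline.
function Get-CcrQueueStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$InstallationDirectory,
        [int]$StaleMinutes = 60   # hypothetical threshold for "stuck in inproc"
    )
    $ccrBox = Join-Path $InstallationDirectory 'inboxes\ccr.box'
    $queues = [ordered]@{
        Pending   = $ccrBox
        InProcess = (Join-Path $ccrBox 'inproc')
        Retry     = (Join-Path $InstallationDirectory 'inboxes\ccrretry.box')
    }
    $now = Get-Date
    foreach ($name in $queues.Keys) {
        $path = $queues[$name]
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            Write-Warning "Queue folder not found: $path"
            continue
        }
        # -File keeps the inproc subfolder out of the Pending listing.
        Get-ChildItem -LiteralPath $path -File | ForEach-Object {
            $age = [int]($now - $_.LastWriteTime).TotalMinutes
            [pscustomobject]@{
                Queue       = $name
                Record      = $_.Name
                AgeMinutes  = $age
                # Retry records failed to start ccmsetup; old inproc records may be stuck.
                NeedsReview = ($name -eq 'Retry') -or ($name -eq 'InProcess' -and $age -ge $StaleMinutes)
                FullName    = $_.FullName
            }
        }
    }
}

# Added example: delete a retry record so the push is not repeated every hour.
function Remove-CcrRetryRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$FullName)
    process {
        # Refuse anything that is not directly inside ccrretry.box.
        if ((Split-Path -Leaf (Split-Path -Parent $FullName)) -ne 'ccrretry.box') {
            Write-Warning "Skipping $FullName (not in ccrretry.box)"
            return
        }
        if ($PSCmdlet.ShouldProcess($FullName, 'Delete CCR retry record')) {
            Remove-Item -LiteralPath $FullName
        }
    }
}
```

Running `Get-CcrQueueStatus -InstallationDirectory '<InstallationDirectory>' | Where-Object NeedsReview` lists the records worth investigating; piping selected Retry rows to `Remove-CcrRetryRecord -WhatIf` shows what would be deleted before anything is removed.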

One of the most common problems with Client Push Installation is (are) the (Windows) Firewall(s). As I had some questions about this (again) lately, I will post here all the open ports/firewall exceptions needed for a Client Push Installation.

Exceptions for the Windows Firewall

To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:

About

I’m Peter van der Woude, born in 1983 and I’m living together with my wife and two sons in the Netherlands.

Currently I work for KPN Consulting. At this moment my main focus is Enterprise Client Management via Microsoft Intune and/ or System Center Configuration Manager (ConfigMgr 2007/ 2012/ CB) and I love it!